CVE-2021-3282

Опубликовано: 01 фев. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the remove-peer raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

Ссылки

https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337
Vendor Advisory
https://security.gentoo.org/glsa/202207-01
Third Party Advisory
https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337
Vendor Advisory
https://security.gentoo.org/glsa/202207-01
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:hashicorp:vault:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:hashicorp:vault:1.6.1:*:*:*:*:*:*:*

EPSS

Процентиль: 54%

0.00318

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

CVE-2021-3282

CVSS3: 7.5

redhat

около 5 лет назад

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

GHSA-rq95-xf66-j689

CVSS3: 7.5

github

около 2 лет назад

Improper Authentication in HashiCorp Vault

EPSS

Процентиль: 54%

0.00318

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-287